Improper Privilege Management in dotcms/core

Valid

Reported on

Dec 6th 2021


Description

Hello team, I found an SSTI that allows me to get full privilege escalation (system user).

  1. While editing a template we have total access to the User and UserModel classes via $user
  2. One of the UserModel methods is called setUserId
  3. If we call setUserId and pass "system" as the parameter, we get access to the system user role
  4. To exploit this flaw we need a user with the following permissions/role:
    • Active; Back-end User
    • Back-end Users need the following permissions:
      • View: Sites, Pages, Templates
      • Edit: Templates

The exploitation is easy, but the user permissions/role are a little hard to set, so I made a video showing how to set the permissions and exploit the flaw.

Proof of Concept

$user.setUserId("system")

YouTube link (unlisted)

Impact

We can get full access to the application with a user that has few privileges.
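As an added example (not code from the report and not dotCMS's own code), the Java program below shows why the PoC works and what the least-privilege fix looks like on the rendering side: the setter is reachable because the live, mutable user object is bound into the Velocity context as $user, and it stops being reachable when an immutable view with only getters is bound instead. It assumes Apache Velocity (1.7 or 2.x) on the classpath; SessionUser and UserView are stand-ins invented for this example, not dotCMS's User/UserModel classes.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class TemplateUserExposure {

    // Stand-in for the live session user (hypothetical; the real dotCMS
    // User/UserModel classes are not reproduced here). Like the real one it
    // carries a public setter, which is what a template reaches through $user.
    public static class SessionUser {
        private String userId;
        public SessionUser(String userId) { this.userId = userId; }
        public String getUserId() { return userId; }
        public void setUserId(String userId) { this.userId = userId; }
    }

    // Hardened binding: an immutable snapshot exposing only the getters that
    // templates legitimately need. There is no setter for Velocity to resolve.
    public static final class UserView {
        private final String userId;
        public UserView(SessionUser u) { this.userId = u.getUserId(); }
        public String getUserId() { return userId; }
    }

    // Renders the template with the given object bound to $user and returns the output.
    public static String render(VelocityEngine ve, Object user, String template) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("user", user);
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "report-poc", template);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine ve = new VelocityEngine();
        ve.init();

        // The report's payload, followed by a read-back of the id.
        String payload = "$user.setUserId(\"system\")\n$user.getUserId()";

        // Vulnerable binding: the live object is in the context, so the setter
        // is reachable and the identity the session sees changes to "system".
        SessionUser live = new SessionUser("editor");
        render(ve, live, payload);
        System.out.println("live binding, userId after render: " + live.getUserId());

        // Hardened binding: UserView has no setUserId, so the method call cannot
        // be resolved (left unresolved in lenient mode, MethodInvocationException
        // when runtime.references.strict=true). The session user is untouched.
        SessionUser session = new SessionUser("editor");
        String rendered = render(ve, new UserView(session), payload);
        System.out.println("view binding, rendered output:\n" + rendered);
        System.out.println("view binding, userId after render: " + session.getUserId());
    }
}
```

Compile and run it with the Velocity jar (and its dependencies) on the classpath. The point of the comparison is that the fix is about what gets bound, not about the template language: any mutable object placed in the context is fully scriptable by whoever can edit templates, so the context should only ever receive read-only views (or objects filtered through a custom Uberspect that refuses setters). Enabling runtime.references.strict on the hardened engine turns the unresolved call into an exception instead of silently rendering the reference text, which is a useful detection signal in logs.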

We are processing your report and will contact the dotcms/core team within 24 hours. 2 months ago
We have contacted a member of the dotcms/core team and are waiting to hear back 2 months ago
Vinicius
2 months ago

Researcher


Just a clarification: this change is not saved in the database, only for the session; if you log out you will "lose" the permissions again. After getting the permission you want, you can change your user to CMS admin directly through the interface, or you can redo the attack whenever you log in.

We have sent a follow up to the dotcms/core team. We will try again in 7 days. 2 months ago
Will Ezell validated this vulnerability a month ago
Vinicius Ribeiro Ferreira da Silva has been awarded the disclosure bounty
The fix bounty is now up for grabs
Will Ezell confirmed that a fix has been merged on 2c9b40 a month ago
The fix bounty has been dropped
Vinicius
a month ago

Researcher


Hi Will, can I request a CVE for this report? I think the flaw is serious enough.